Facebook faces a £500,000 ($665,000) fine from the UK’s data protection watchdog, the ICO, for failing to protect netizens' info and failing to tell them how their data would be harvested by apps.
The looming penalty relates to the social media giant's role in the Cambridge Analytica data-harvesting scandal – in which the personal …

COMMENTS

Conclusions?

Just like the ODPC Yahoo breach result, the ICO took action... They wrote a Report! Anyone who isn't terrified by the direction we're heading, just isn't paying attention. Facebook will stomach GDPR fines fine too.

Why? Zuckerberg's emotions betrayed his test-of-money to US/EU lawmakers. He has no intention of stopping the slurp road-show. Families using the Facebook-Stasi should be seriously worried. It feels like parents are condemning their kids to some god awful Stasi-like future... An unholy alliance of corporate and state surveillance or interference...

All for what? Some convenience and cheap tech today. It's a dangerous tradeoff. Be prepared for your kids to ask one day: 'how did we get here Daddy?' Especially when AI makes ruthless decisions about medical procedures or drugs your family needs but can't get. Or a job your kid really wants, but is unfairly denied. Want a nice home? You've been auto-rejected! If you're on the bread line, expect more miscarriages of justice, once that's automated too. But don't take an AC's word for it:

Re: Conclusions?

There might be a valid argument for the data slurp but what I don't understand is when people call Facebook a Stasi. It's people's choice to use it. It's a free service. How else do people think they will make their money from the free service? It costs a lot of money to run and maintain all those servers.

I'm not defending Facebook, people have a right to be angry with them but it's still a free service and people choose to use it or not. I choose not to use it. Simple as that really.

"But some sites require it to sign up to stuff". Well then just use a dummy account, it's what I do. So when I say I don't use it, that was a lie, I use it just for signing into some sites that have no other option but to use Facebook.

Re: Conclusions?

With Facebook there are also all the 'shadow accounts' of people who haven't actively signed up with the service, but about which Facebook knows a lot from them being included in users' messages and photographs. Their personal data is at risk, but they don't have any way of deleting it from Facebook - because they don't have an account.

How these accounts can possibly be GDPR compliant is something of a mystery to me.

Re: Conclusions?

What is particularly worrying about the shadow accounts, is that firstly people didn't consent to Facebook collecting their data on them, and data subjects have no way to request that Facebook cease processing and storing the data.

'people didn't consent to Facebook collecting their data on them'

To add to that and the point about 'don't understand when people call Facebook a Stasi'. See this ruling today. The data was sold to Experian. So, will this info make it to Facebook ultimately? Seems likely as Experian / Facebook are data partners. More unintended consequences of data sharing.

~~~~~~~~~~

"Emma's Diary faces fine for selling new mums' data to Labour - BBC News - A company that offers pregnant women and new parents health advice and gifts, faces a fine for illegally sharing more than a million people's personal data with the Labour Party. It said Lifecycle Marketing had sold the data for use in the 2017 general election campaign without disclosing it might do so. - The ICO said that on 5 May 2017, Lifecycle Marketing has supplied 1,065,200 records to the data broker Experian Marketing Services for use by Labour. - Each record included: the name of the parent who had joined Emma's Diary their home address whether children up to the age of five were present the birth dates of the mother and children - Emma's Diary is promoted by the Royal College of General Practitioners among others, and its information packs are distributed by many GPs and midwives. - It added that there may also have been a breach of the European Convention on Human Rights."

Re: Conclusions?

Just because you've never opened a Facebook account, doesn't mean they don't know anything about you.

They probably know your contact details from slurping the contacts from one of your friends or family. They might well have a picture of you, again, helpfully tagged by one of your friends.

They might even have an idea of which websites you visit, based on tracking cookies, if you ever clicked on a link to their site that a friend sent you. They can then cross reference that with the information from the wide number of other sites that have Facebook cookies.

That's just the stuff I can think of off the top of my head. I have never signed up to Facebook, but I'm sure they know something about me.

Re: Conclusions?

"Just because you've never opened a Facebook account, doesn't mean they don't know anything about you."

Is that the new "Just because you're paranoid, it doesn't mean they're not out to get you" ?

"I have never signed up to Facebook, but I'm sure they know something about me"

Quite. And as I've mentioned before, since signing up to Facebook again (long after "deleting" the old account) - and this time with a different address etc - it's interesting to see what shows up in my profile that hasn't been (directly) provided to them by me.

In particular, I'm looking at the 'advertising settings' which shows something from my phone, even though the Facebook application has never been anywhere near it - and here we see something very wrong. (I suspect Facebook may have randomly added these because of a lack of real data - but their wording says otherwise!)

'Don't understand when people call Facebook a Stasi. It's people's choice to use it. It's a free service'

You're not looking at things from Zuk's perspective. Many of these sources only came to light after the CA-Palantir scandal. We may never have learned about them otherwise. What else is Facebook hoovering up? Right now Zuk is getting data from:

5. All the Facebook buttons on millions of websites around the world phone home constantly. Some of it is blockable using adblockers. Some of it isn't when done Server-side (Passenger-Booking-Data etc).
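The two comments above describe the same mechanism from two angles: a widget embedded on many unrelated sites is fetched from one third-party host, and each fetch carries that host's cookie plus a Referer header naming the page the visitor was on, so the third party can stitch page views across sites into a profile even for a browser whose owner never registered. The toy model below is an added example, not code from the article or from Facebook; the hostnames, the `/plugins/like.php` path, the `tid` cookie name and the log lines are all constructed for illustration. It parses a widget-endpoint access log, links requests by tracking cookie, and then shows what the same log yields when the browser refuses to send third-party cookies.

```python
"""Toy model of cross-site tracking through an embedded third-party widget.

Unrelated sites (news.example, health.example, ...) all embed a widget served
from one tracker host. The browser attaches the tracker's own cookie and a
Referer header to every widget load, so the tracker can link page views on
different sites to a single browser with no account needed. All data here is
constructed for the example.
"""
import shlex
from collections import defaultdict
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed access log for the widget endpoint. Columns:
#   client_ip  method  path  "referer"  "cookie"   ("-" when absent)
SAMPLE_LOG = """\
203.0.113.7 GET /plugins/like.php "https://news.example/politics/article-42" "tid=a1b2c3"
203.0.113.7 GET /plugins/like.php "https://health.example/pregnancy/week-12" "tid=a1b2c3"
198.51.100.9 GET /plugins/like.php "https://shop.example/cart" "tid=d4e5f6"
203.0.113.7 GET /plugins/like.php "https://jobs.example/apply/4711" "tid=a1b2c3"
198.51.100.9 GET /plugins/like.php "https://news.example/sport/final" "tid=d4e5f6"
203.0.113.7 GET /plugins/like.php "https://travel.example/book/flight" "-"
"""


def _tracking_id(cookie_header: str) -> Optional[str]:
    """Extract the hypothetical 'tid' cookie; None if the header is absent."""
    if cookie_header == "-":
        return None
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "tid" and value:
            return value
    return None


def parse_log(text: str) -> List[dict]:
    """Parse the constructed log format into one dict per request."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, _method, path, referer, cookie = shlex.split(line)
        records.append({
            "ip": ip,
            "path": path,
            "referer": None if referer == "-" else referer,
            "tid": _tracking_id(cookie),
        })
    return records


def page_from_referer(referer: str) -> str:
    """Reduce a Referer URL to host + path, which is what profiles the visit."""
    parts = urlsplit(referer)
    return f"{parts.hostname}{parts.path}"


def build_profiles(records: List[dict],
                   third_party_cookies_allowed: bool = True
                   ) -> Tuple[Dict[str, List[str]], int]:
    """Link widget loads into per-browser browsing profiles.

    Returns (profiles keyed by tracking id, number of requests that could not
    be linked). With third-party cookies blocked the tracker sees no tid on
    any request, so nothing links and every request is unlinked.
    """
    profiles: Dict[str, List[str]] = defaultdict(list)
    unlinked = 0
    for rec in records:
        tid = rec["tid"] if third_party_cookies_allowed else None
        if tid and rec["referer"]:
            profiles[tid].append(page_from_referer(rec["referer"]))
        else:
            unlinked += 1
    return dict(profiles), unlinked


def distinct_sites(profile: List[str]) -> List[str]:
    """The set of unrelated first-party sites one tracking id was seen on."""
    return sorted({page.split("/", 1)[0] for page in profile})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    linked, lost = build_profiles(recs)
    for tid, pages in linked.items():
        print(tid, "seen on", distinct_sites(pages), "->", pages)
    print("unlinked requests with cookies allowed:", lost)
    _, lost_blocked = build_profiles(recs, third_party_cookies_allowed=False)
    print("unlinked requests with third-party cookies blocked:", lost_blocked)
```

Two things the model makes visible. First, nothing in it requires the visitor to have an account: `tid` is minted by the widget host on first contact, and the profile is built entirely from Referer values. Second, refusing the third-party cookie (an adblocker, a browser's third-party-cookie block, or a `SameSite` policy on the cookie) breaks the linkage in this client-side case, which is the blockable part the comment above refers to; the server-side integrations it also mentions never pass through the browser, so no client-side setting touches them.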

Re: 'Don't understand ...

Re: Be prepared for your kids to ask one day: 'how did we get here Daddy'?

I think they're way too optimistic, the kids already don't give a flying monkey about how they got there. It's not that they've been boiled slow, they positively poured the water and turned the flame to FULL POWER, before jumping in.

But hey, given that this course is, ultimately, short-term, I see the bright side. It might be a nuclear flash, it might be an AI turning us off, but the future's bright, and f... the sapiens.

Re: Conclusions?

About this article - it mentions that we could end up facing negative decisions by AI with no way of knowing how it was arrived at.

If I, as a human being in a position of authority, make a decision, aren't I expected to be able to provide a rationale for that decision?

Surely if an AI system provided a decision with no ability to provide the rationale behind it, then the decision is not valid and could be challenged in a court of law? Perhaps I'm being overly optimistic. (There's probably no perhaps about it).

Re: negative decisions by AI

This has been done for quite some time already, the future's here already. Not by AI, because it doesn't exist, but by "algorithms" (human-designed, sure). Apparently though, it's already got to such a level of complexity that it's impossible (or too expensive, which comes to the same thing) to backtrack and see what went wrong. And if there's no path to enforce backtracking and remedy (cost optimisation, hurrah) - computer says no, there's no point shouting down the phone line, long dead, there's nobody there.

...

There was an article on the subject somewhere... ah, here it is. Well, the original article by Washington Post is behind a paywall so, leftovers:

Re: Conclusions?

This is a real issue with machine learning. How much of the stuff is replicable when algorithms are proprietary and data sets aren't published? A lot of news about data science shouldn't be considered 'science' because the results aren't replicable.

But it's being pushed as the next big thing even though no one really knows how it comes to its decisions and many of those decisions and insights are of only marginal statistical significance. Dredge enough data long enough and you'll find some correlation - chances are it's bollocks, but you might make a billion.

Re: Conclusions?

Facebook will stomach GDPR fines fine too.

It's worth noting that FB have shouldered the maximum possible fine under the existing legislation (£0.5M). GDPR has provision for far greater fines (4% of annual global turnover). FB's global revenue was over $40Bn in 2017, 4% of that is $1.6Bn, or £1.2Bn. A fine of that magnitude would be a much more interesting proposition. Not least because FB may resist paying it, which would presumably be a criminal matter and involve the invocation of international extradition treaties for those in charge. That's when it would be a good time to invest in popcorn.

Re: Conclusions?

It's worth noting that FB have shouldered the maximum possible fine under the existing legislation (£0.5M)

IIRC the "prompt payment discount" is 20%, so FB will only have to cough £400k.

GDPR may allow higher fines, but let's see what actually transpires - just because they could now fine FB over a billion quid, how likely do you think that is? The regulator will have a process that considers the scale and severity of the breach, then applies aggravating and mitigating factors. Evidence from other UK regulators with "up to 10% of turnover" powers shows that these powers are not used. Which is just as well, because the impact would be far more severe on low margin companies than those with vast profits.

The problem is that financial penalties aren't hitting companies where it hurts - rather than fines that are merely passed on to either customers or investors, regulators need to suspend offending companies from their core business activity either new customer sign ups, sales, loans or (in the case of FB/Google) all data scraping. Doesn't even need to be for very long - a couple of weeks for a first offence REALLY makes a point. Ofgem have issued over quarter of a billion quid in fines to energy companies over recent years without improving anything. But the couple of times they've suspended companies from signing up new customers, I can assure you (from within the industry) that sent shivers of fear through all companies.

Re: Conclusions?

"But the couple of times they've suspended companies from signing up new customers, I can assure you (from within the industry) that sent shivers of fear through all companies."

That works for "trading companies" but with the social media they already have a huge database.... better to issue PERSONAL penalties to the directors and chief officers, including jail time for abuse of personal data especially maintaining shadow profiles, there is NO way that consent can be assumed there and as such should attract a really harsh penalty for those at the very top.

Re: Conclusions?

Yup. Was going to say the same thing. Unlike many comments and the article FB should read this as a warning of what happens next time. We could also end up with the ICO and at least one EU regulator handing out 4% fines. A billion here, a billion there and it soon adds up to real money.

Re: Review of the impact of ICO Civil Monetary Penalties - 20140723

"What in your estimation makes it interesting? How does it relate to the article at hand? What conclusion did you draw from the document that makes it interesting/relevant?"

Well, it's a report by the ICO on how effective ICO fines are, so it sounds like it should be relevant. As it turns out... not so much. The impact of penalties was assessed by interviewing a few organisations who had been fined. Amazingly, they all say that they've totally become more proactive in addressing their information rights obligations. No effort appears to have been made to find out if that's actually true. In addition, out of 14 organisations interviewed, only three were private companies with the rest all being government related bodies of some sort (councils, police, etc.). No mention is made of how big those three companies were.

So the conclusion is that a local council that reports itself to the ICO for a data breach will tell you that a fine made it take data security more seriously. Any impact from fining Facebook some pocket change isn't really considered at all.

Re: Review of the impact of ICO Civil Monetary Penalties - 20140723

"Well, it's a report by the ICO on how effective ICO fines are, so it sounds like it should be relevant. As it turns out... not so much. The impact of penalties was assessed by interviewing a few organisations who had been fined. Amazingly, they all say that they've totally become more proactive in addressing their information rights obligations."

They probably received a discount against the fine for taking part in the survey and giving suitable answers.

Re: Review of the impact of ICO Civil Monetary Penalties - 20140723

"Give me some clue as to why it's worthwhile to visit an external site and download and read a PDF document of unknown content and length."

To find out what's in it. Or would you prefer to rely on someone you don't know and whose abilities you don't know understanding not only the report but also its significance to your particular situation - which they don't know. The latter doesn't really seem like a good way to keep yourself informed if it's your standard practice.

Re: Review of the impact of ICO Civil Monetary Penalties - 20140723

> To find out what's in it. Or would you prefer to rely on someone you don't know and whose abilities you don't know understanding not only the report but also its significance to your particular situation - which they don't know.

Wait a minute, so some random has linked a random document to a story, with no topical comment, no indication what it's about and you say I should read it to see if it's relevant?

Is the document porn?

Or a treatise on the way to skin a cat?

Or a dissertation on the speed of an unladen swallow?

An intelligent design essay?

Cock pics?

Why Scientology is good for you and why you should join?

Do you read every random document everyone links in comments without knowing what the topic of the document is at least?

How about "Here's a report from the ICO on the impact of paying fines that seems to indicate that the fines do/don't have usefulness". At least then I'd have a clue what the linked document was (allegedly) about and then I can decide if I'm interested enough in that particular topic to open it and read it.

Re: Review of the impact of ICO Civil Monetary Penalties - 20140723

"Wait a minute, so some random has linked a random document to a story, with no topical comment, no indication what it's about and you say I should read it to see if it's relevant?"

No indication of what it's about? It's a document entitled "Review of the impact of ICO Civil Monetary Penalties", hosted at the ICO's own site, posted in response to an article about ICO civil monetary penalties and which comments how ineffective they are likely to be. While I can sympathise with your sentiment in response to people posting random links with no comment, in this case it really doesn't take a genius to figure out what the linked document might be about and how it might be relevant.

Re: ethical pause

Surely this isn't fair on them

Now I'm not one to stand up for facebook, but I do believe that old saying that I was always taught about the ol' information superhighway (yes, I'd love to bring that back lol) where common knowledge was 'if the service is free, you are the product.'

These moaning kids don't seem to understand that they signed up for this, hell they even agreed to it in the terms and conditions, even if those were something along the lines of the Big Zucker-B owning their souls for all eternity, and they still sucked it up and uploaded all of their data to Him without thought.

Then someone came along and said "omg, they SOLD the data we gave them for FREE! All I got was a communications system and an infinite photo upload depository. For free."

I know I'm doing the same for Apple simply by owning a product, and by Google (by its own definition of flogging me for ads every second of every day), but FFS what did people really expect? They'd hold on to all of their photos and thoughts for free, and they're going to continue to do so without making a penny from them? COME ON! If you're really that stupid you probably deserve to vote for Christmas because an advert on Facebook told you to. Gobble gobble.

All hail the hypnotoad!

Disclaimer: I have no social media accounts (apart from enforced SSO test accounts at work) and never have done. My voting data is even more safe as it's either Labour or bust, and as I'm in the North it's normally bust. As me old pa said "they're all bastards anyway, just get on with it yourself".

Re: Surely this isn't fair on them

It might be a free service but that does not give the company providing that service the right to break the law.

The law sets out everybody's expectations, it's a standard from which everybody works and complies. The public knows what their rights are and the suppliers of services know what they have to provide.

It's completely inappropriate then to say "There is a legal standard which you must follow, but if you're providing a free service, you can totally ignore it". How do customers know what their rights are if the providers of free services are given complete carte blanche to ignore the standard and do whatever they want?

Re: Ouch... that must have hurt

Surely it's an unnoticeable sum to Facebook, but unfortunately the ICO can't fine them more, that's the limit prescribed by law. Surely the law needs to allow setting of fines on a 'per user' basis, e.g. £1k / user. You're careless with 1 million user profiles, you're on the hook for a billion quid.

Re: Ouch... that must have hurt

While the fine in itself is of no consequence to Facebook this may still come back to bite them down the line: I'd imagine a legal argument against, say, Facebook like / share buttons all over the place would be bolstered by pointing out repeated prior violations.

“to reflect on their responsibilities in the era of big data "

Something missing

Yes, these scumbag companies (The BBC report lists others) and their disturbing lack of ethics deserve to be held to account, but what about the political results of these activities? There appears to be complete silence about that. Is it simply that all political colours were up to their necks in this, so politics over the last 10 years was all about a financial arms race, or do we simply not have the leadership to draw any societal conclusions from these scummy activities?

Re: Something missing

Politicians are exactly the same as these big corporates, they want to gain as much information about us as possible to sell us their product (socialist utopia, free market nirvana - both are impossible BS).

The further away from regular interaction with ordinary people they get, the more sociopathic they become.

Re: Max Fine

That is probably true for the Data Protection Act, which is now defunct. But GDPR was specifically developed with social media companies in mind, given the way the data was being shared. This was recognised by the EU. Under GDPR, there is no single fixed maximum fine which applies to everybody.

The maximum fine payable by any company is dependent upon their company turnover.

The fine payable is determined by the ICO, taking many factors into consideration, including how cooperative the company has been with the ICO, and lies between zero and the upper limit calculated from the company's global turnover.

Re: Max Fine

"The fine payable, is determined by the ICO, taking many factors in to consideration ... between zero and the upper limit calculated from the company's global turnover."

The fact that the ICO went for the maximum here might be a good indication of how they'll respond to similar factors in the future. It should be a pretty good warning. Whether it'll be heeded remains to be seen but a max fine under GDPR should certainly get board level attention.

Re: Max Fine

£500,000 is the maximum fine, and yet it is parking ticket for the uber-rich. Why is there a maximum fine?

Because that's an old law. The GDPR replaces it with much larger fines - it would have been in billions under GDPR - but because of when the offences were committed, they can only fine what was the maximum at the time.

Re: Max Fine

"There are people in British prisons for stealing sandwiches when they are hungry, smoking a joint or not having a BBC TV licence. Let those losers out and make some space for some corporate criminals."

No there aren't.

1) The law has since changed, the fine is now a certain percentage of global turnover or €20m, whichever is greater. This is the GDPR, you might have heard about it. There is also a criminal investigation happening, which has the potential to result in jail time if the stronger offences are proved.

2) Nobody is in jail for not having a TV licence. People are in jail for not paying the resulting fine. If you don't pay court fines, I don't know of anywhere in the world where you don't end up in jail.

3) A few people were jailed for stealing bottles of water during a riot, and as such were charged with rioting, not theft. You would rarely get jailed for stealing sandwiches, as in never.

4) More or less nobody is in UK jail for possession of marijuana for personal use. The only example I could find was a British man who smoked cannabis in the UK, then flew to Dubai, where he was then arrested. You know, in Dubai.

Re: Max Fine

@davcrav

It's tangential to my point but I was being serious with my examples. I did prisoner support a dozen years ago and met people inside for not paying their TV licence, stealing a sandwich and possessing marijuana.

The Ministry of Justice said that from 2005-2014, a total of 353 people were handed custodial sentences for not paying fines for not having a TV licence. That's just England and Wales so add another 35 for Scotland. I fully admit they were jailed for not paying the fines but if they can't afford the licence then they can't afford the fines, so it's a distinction without a difference. I think the licence fee is unnecessary, and the BBC should be self-funding by selling its content and cutting its costs. There is no logic in why it is illegal to watch live ITV.

I realise the prosecution of possession of marijuana has changed in the past decade, and so has the categorisation. They all are just labelled 'drugs offences' now in the official documents I can find, regardless of class. I met various prisoners who were in for possession back then, and I can point to numerous cases of people in prison for growing. Complete waste of police and prison expense.

One of my friends was imprisoned for stealing a policeman's sandwich, after he'd arrested her for stealing a sandwich from a shop. She was a persistent shoplifter but was only charged with the one sandwich. Albeit she also pointed out the officer was a "fat peeg". She'd lived on the streets with no income for a year because the DWP wrongly told her she couldn't claim benefits as a Spaniard. Again, now all the data just lists 'shoplifters' rather than the seriousness of the thefts.

Re: Max Fine

There is a maximum fine under the now defunct Data Protection Act, there is no maximum fine under GDPR. There is an upper limit which is determined by a percentage of the company's turnover, and the fine, in pounds sterling, can be anywhere from 0 to that upper limit, but the higher the company turnover, the higher the upper limit. There is no limit to the upper limit.

In Facebook's case the fine they would pay under GDPR would be anywhere from zero to $1.6 billion.

For a company with a higher turnover, the upper limit on the fine would be higher.

Re: Max Fine

"And why aren't there prison sentences as an option for the judge?"

There are but you need to understand the processes at work here.

Although it's commonly referred to as a fine it's a Civil Monetary Penalty (CMP). The key word there is "civil"; the ICO can apply that, it can't apply a fine which would be a criminal matter. Criminal penalties are applied by a court of law and the normal ICO procedure doesn't go to court although it could end up there if the miscreant doesn't pay up.

Like a fine, it's only a court that can hand out prison sentences. Off hand I'm not sure what the process is for the ICO to take a case against the individuals to court in that way but there must be one because the relevant Act has provision for it.

Follow the money

It would be nice if sharing data without the user's permission was a criminal offence and punished accordingly. It would also be good if legal action could be taken against the individuals involved as well as the organisations they were working for. Cambridge has billions in assets, they could also afford a fine of a few million.

I bet the £500k doesn't cover the costs of the investigation. The ICO doesn't have enough powers to fine people. It should really be part of HMRC and treat data like cash and freeze assets when it goes missing.

I didn't know my government was selling democracy so cheaply

Seems inconsistent

Firstly we have to remember here that the incident occurred prior to GDPR so the requirements and penalties differ from what they would be today.

Regardless of Facebook's ability to pay, the fine seems too high in comparison to other cases.

TalkTalk caused potential harm to a large number of its customers by failing to implement basic security controls, and failed to act on warnings it had previously been given. In other words it was considered to have been willfully negligent.

Facebook is being fined for not being quite clear enough about what data was being shared with who and being lied to by Cambridge Analytica who said they had deleted the data when Facebook became aware it was being misused but in fact didn't.

So they did tell users what they were letting happen with their information, and they did act when somebody did something incorrect with it. Not willful and not negligent and yet they get fined more than they would have done if they had failed to try and protect the information.

Re: A poorly formed...

Re: fucking useless cunts

And once you found the oh-so-f-obvious-answer, ask yourself "why"? And once you found the oh-so-f-obvious-answer to "why?", ask yourself "what can I do about it?" And once you found the oh-so-f-obvious answer (democracy, blah-blah-blah-blah-blah-blah) - don't you even DARE thinking about alternative solutions, cause those you put in the comfy chair, will do _exactly_ the same.

500k was under the old rules. The new fines are up to €20 million or 4 per cent of turnover (whichever is greater). Unfortunately because of when this happened the old rules apply. They won't get off so lightly moving forward.

This is the modern UK... our rights come a distant second to those of the parasites looking to rape our data for an easy buck. There's always a back door.... a nod and a wink and a token fine.... There's a maximum fine... maybe there should be a statutory minimum as a start point... with costs added for aggravating factors...

Then MAYBE I would have some faith in the idea that there is any protection for citizens data.

If it had been less than the maximum amount (and I'm not sure the maximum amount has ever been applied in the past) you might have had a point. Although the ICO can do no more than what amounts, given FB's scale, to firing a warning shot it is nevertheless a warning shot. If FB has any wit they'll anticipate very big penalties under GDPR. And it'll be no help to them that they've managed to piss off Parliament by snubbing them so your reflex cynicism might well be misleading you.

Re: Is this joke?

Pissing in the data pool ?

Having worked with *massive* data sets for quite a while, whilst I applaud the ICOs action, and certainly don't condone law breaking, it might make people sleep a little easier if I revealed the dirty secret of data analytics, which is that - quite simply - about 60-80% of data is crap. And I mean really crap. Not only useless, but potentially dangerously so.

Ask yourself this question: How many times have *you* lied when submitting responses? And although you'd think analytics would winkle out the deception, perversely they reinforce it.

I am also starting to wonder if hostile nations' cyber capabilities haven't been used to screw up commercial and political datasets for quite a while.

Re: Pissing in the data pool ?

Ever since House we're keenly aware that everybody lies, and also that the immediate very very simple way to get around that is not bothering to _ask them_ anything but rather to observe their actions instead. Which is exactly what I would expect 99% of "gathered data" to consist of.